### Critical Vulnerability Information

#### Basic Information

- **Vulnerable Manufacturer**: Shenzhen Jixiang Tenda Technology Co., Ltd.
- **Vulnerability Level**: High Risk
- **Affected Object Type**: Network Device
- **Affected Product**: Tenda AC23
- **Affected Product Version**: Tenda AC23_V16.03.07.52
- **Is Component Vulnerability?**: No

#### Vulnerability Overview

Tenda AC23 contains a stack overflow vulnerability. It arises from insufficient length validation of the `deviceList` parameter in `/goform/setMacFilterCfg`. Attackers can exploit this vulnerability to execute arbitrary code on the system.

#### Vulnerability Details

Critical code snippet:

```c
var = (char *)webGetVar((int)_, "macFilterType", &unk_4DA4BC);
v8 = sub_46A748(var);
if ( v8 )
{
  v14 = 0;
  v15 = 0;
  v16 = 0;
  v17 = 0;
  printf(
    "%s[%s:%s%d] %sset mac filter mode error!\n%x1B[0m",
    (const char *)off_4F3A3C, // "\x1B[0;33m"
    "formSetMacFilterCfg",
    489,
    off_4F3A38);
LABEL_23:
  snprintf(s, 0x108u, ("\"errorCode\":%d"), v4);
  return websTransfer(0L, s_);
}
// deviceList is read from the request and passed on with no length check
s = (char *)webGetVar(a1, "deviceList", &unk_4DA4BC);
v8 = sub_46AFDC(var, s);
if ( !v8 )
```

The `deviceList` parameter is ultimately passed as the first argument to `sub_46940` and copied onto the stack. Because the input is not validated, an attacker can overwrite the stack to control the return address or construct a ROP chain. Since the symbol table is missing, gdb cannot trace offsets, but debugging reveals the potential for significant damage.

#### Impact

1. Attackers can exploit this vulnerability to achieve remote code execution (RCE).
2. Attackers can exploit this vulnerability to cause service crashes.

#### Mitigation Plan

1. Contact the vendor to obtain security patches and promptly fix the vulnerability.
2. Contact relevant security vendors to update security blocking policies in a timely manner.
3. Temporarily implement security checks on interface parameters.
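
The following is an added example, not code from the advisory or from the vendor: a sketch of the interface-parameter check that mitigation step 3 describes, written as a filter a proxy in front of the device could apply to requests for `/goform/setMacFilterCfg`. The 256-byte limit and the function names are assumptions, since the advisory does not state the size of the stack buffer.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define GUARDED_PATH "/goform/setMacFilterCfg"
/* Assumed policy limit; the advisory does not give the firmware's buffer size. */
#define PARAM_MAX 256

/* Decoded length of one url-encoded "key=value" pair (%XX counts as one byte). */
static size_t decoded_len(const char *p, size_t n)
{
    size_t out = 0;
    for (size_t i = 0; i < n; i++, out++) {
        if (p[i] == '%' && i + 2 < n &&
            isxdigit((unsigned char)p[i + 1]) &&
            isxdigit((unsigned char)p[i + 2]))
            i += 2;
    }
    return out;
}

/* 1 if every '&'-separated pair in s decodes to at most PARAM_MAX bytes.
 * The limit covers all parameters, so the check does not depend on how
 * the deviceList key is spelled or encoded. */
static int pairs_within_limit(const char *s)
{
    while (s && *s) {
        size_t n = strcspn(s, "&");
        if (decoded_len(s, n) > PARAM_MAX)
            return 0;
        s += n;
        if (*s == '&')
            s++;
    }
    return 1;
}

/* Returns 1 to forward the request, 0 to reject it before it reaches the device.
 * uri is the request target (path plus optional query), body the form body. */
int mac_filter_request_allowed(const char *uri, const char *body)
{
    size_t plen = strcspn(uri, "?");
    if (plen != strlen(GUARDED_PATH) || strncmp(uri, GUARDED_PATH, plen) != 0)
        return 1; /* other endpoints are outside this filter's scope */
    const char *query = uri[plen] == '?' ? uri + plen + 1 : NULL;
    return pairs_within_limit(query) && pairs_within_limit(body);
}
```

Measuring the whole `key=value` pair is deliberately conservative: it never undercounts the value that the firmware would copy.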